srv6ops                                                   N. Zhang, Ed.
Internet-Draft                                               X. Yi, Ed.
Intended status: Standards Track                            China Unicom
Expires: 24 April 2025                                   21 October 2024


     IFIT-based anomaly monitoring and tracing in data circulation
            draft-zhang-srv6ops-abn-mon-data-circulation-00

Abstract

   This document proposes a deployment scheme for IFIT-based anomaly
   monitoring and tracing in data circulation.  Use cases and
   requirements are discussed, and the deployment scheme is described
   in detail.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Zhang & Yi                Expires 24 April 2025                 [Page 1]
Internet-Draft   IFIT-based anomaly monitoring and tracing  October 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Data sharing between enterprises  . . . . . . . . . . . .   3
     3.2.  Data sharing of technology project  . . . . . . . . . . .   3
   4.  Requirement . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Monitoring and tracing of attacked nodes  . . . . . . . .   3
     4.2.  Monitoring and tracing of illegal nodes . . . . . . . . .   4
   5.  Deployment scheme of IFIT-based anomaly monitoring and tracing
       in data circulation . . . . . . . . . . . . . . . . . . . . .   4
   6.  Deployment effect . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   In this era of a booming digital economy, data has become an
   important asset, and its value is increasingly prominent.  Data
   circulation and sharing can improve the efficiency of resource
   utilization and promote technological innovation.  However, data
   circulation faces several problems.  First, the systems of different
   institutions and different regions are heterogeneous, with differing
   data formats and encodings, so the sharing and circulation of such
   differentiated data has to be solved.  Second, a new data
   circulation supervision platform requires users to rent server
   resources, which raises user costs.  Third, the platform and the
   network need to cooperate to address the risk that shared data leaks
   at the network layer.  To address these problems, the network itself
   is a suitable medium for cross-institution and cross-region
   supervision of data circulation.
   The process of data circulation can be monitored and traced with
   network technology.  IFIT is one of the preferred methods for
   monitoring and tracing abnormal paths in data circulation.  Compared
   with traditional network operation and maintenance technology, it
   offers high precision, real-time measurement and visualization.  IFIT
   [I-D.song-opsawg-ifit-framework] marks flows by inserting IFIT
   headers into real service packets, so that performance indicators
   such as network delay, packet loss and jitter are measured directly
   on the service traffic.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Abbreviations and definitions used in this document:

   *  IFIT: In-situ Flow Information Telemetry.

3.  Use Cases

3.1.  Data sharing between enterprises

   Data sharing between enterprises gives faster access to necessary
   information and improves productivity.  However, it raises compliance
   and commercial confidentiality issues, and cross-enterprise data
   interactions need to avoid the risk of sensitive data leakage.
   Regulators therefore need to control the data interaction process
   and trace the behaviour.

3.2.  Data sharing of technology project

   Medical data sharing can bring patients more convenient and efficient
   healthcare services by reducing duplicate examinations and increasing
   information transparency.  However, medical data involves personal
   privacy and sensitive information, and leakage may have serious
   consequences for individuals.  The circulation process therefore
   needs to be monitored.

4.  Requirement

   Monitoring the data circulation process with network technology
   mainly requires the network to be able to monitor and trace attacked
   nodes and illegal nodes.

4.1.  Monitoring and tracing of attacked nodes

   Current attack tracing schemes can be roughly divided into two types:
   attack path reconstruction based on traffic characteristics, and
   attack path reconstruction based on packet marking.

   Reconstruction based on traffic characteristics rebuilds the attack
   path from the difference between the characteristics of attack
   traffic and normal traffic.  It is easy to deploy because it is
   executed at the controller.  However, the controller has to collect
   data circulation information over a certain period of time, so
   tracing is not real-time.  In addition, both the comparison of
   traffic characteristics and the network path tracing are done by the
   controller, which increases the volume of data transmitted to the
   controller and its processing load when the network is large.

   Reconstruction based on packet marking carries path information by
   inserting markers into the packet header, and finally restores the
   forwarding path from those markers.  In this scheme the extra marking
   fields increase the packet length and therefore consume extra
   bandwidth.  Moreover, if an attacker modifies the markers in the
   packet header during forwarding, path reconstruction fails.

4.2.  Monitoring and tracing of illegal nodes

   Current network tracing technology mainly focuses on attack traffic;
   there is no scheme to monitor and trace illegal nodes in the
   circulation process.

5.  Deployment scheme of IFIT-based anomaly monitoring and tracing in
    data circulation

   Figure 1 shows the architectural schematic of the deployment scheme.
                  +------------------------------+
                  |Management and Control System |
                  +------------------------------+
                     /           |           \
        +-------+        +------------+        +-------+
        |Ingress|        |Intermediate|        |Egress |
        |Gateway| <----> |    Node    | <----> |Gateway|
        +-------+        +------------+        +-------+
        <--------------------IFIT-------------------->

                   Figure 1: IFIT-Anomaly-Monitoring

   The specific implementation process is as follows:

   a.  The management and control system sets the jitter threshold
       according to the service type, and initializes the packet loss
       threshold and delay threshold according to the routing result.

   b.  The management and control system sends an IFIT end-to-end
       detection command to the ingress gateway, and the ingress gateway
       adds the IFIT packet header to the data traffic.

   c.  The egress gateway collects the measurements of the data traffic
       and reports them to the management and control system.  When the
       control system finds an anomaly (delay or packet loss exceeding
       its threshold), it sends a hop-by-hop detection command to the
       ingress gateway, and the ingress gateway adds the IFIT hop-by-hop
       mode marker to the data traffic.

   d.  The intermediate network nodes report their detection data, and
       the control system aggregates and analyzes it.  First, from the
       analysis results, the system determines whether the increase in
       delay or packet loss is caused by path switching triggered by a
       physical link failure.  Second, the queue length in each node is
       checked to determine whether there is congestion.  If neither
       applies, anomaly analysis is performed:

       d1.  When packet loss exceeds the threshold, the system locates
            the node(s) at which packet loss increases, and such a node
            is determined to be a possibly attacked node.

       d2.  When delay exceeds the threshold, the system locates the two
            adjacent nodes between which the abnormal delay jitter
            occurs, and determines that the data traffic leaves the path
            there towards an illegal node.

   e.  The management and control system reconstructs the network path
       of the attack or illegal traffic from the hop-by-hop detection
       results.

6.  Deployment effect

   The scheme monitors the real packet traffic with IFIT, so detection
   is real-time.  The accuracy of anomaly detection is improved by
   excluding path switching and congestion with the finer hop-by-hop
   detection mode.  Because the scheme measures the delay and jitter of
   the data traffic with IFIT, it can detect network attacks and illegal
   path traffic at the same time.

   The scheme triggers hop-by-hop detection only when delay or packet
   loss exceeds its threshold and performs only end-to-end detection
   otherwise, which greatly reduces the volume of telemetry data and the
   processing load on the network equipment and the management and
   control system.  The scheme does not add a growing marker to the
   packet header at each network node; the IFIT packet header is added
   only once, at the ingress gateway, so the per-packet overhead is
   fixed at the ingress and does not grow with the number of hops.

7.  Security Considerations

   TBD

8.  IANA Considerations

   TBD

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

9.2.  Informative References

   [I-D.song-opsawg-ifit-framework]
              Song, H., Qin, F., Chen, H., Jin, J., and J. Shin,
              "Framework for In-situ Flow Information Telemetry", Work
              in Progress, Internet-Draft, draft-song-opsawg-ifit-
              framework-21, 23 October 2023.

Authors' Addresses

   Naihan Zhang (editor)
   China Unicom
   Beijing
   China
   Email: zhangnh12@chinaunicom.cn

   Xinxin Yi (editor)
   China Unicom
   Beijing
   China
   Email: yixx3@chinaunicom.cn
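Editor's worked example (added here; not code from the draft or from
China Unicom).  The following Python model walks the controller side of
the Section 5 procedure for one flow: thresholds are set as in step a,
end-to-end reports from the egress gateway are checked in step c and the
flow is escalated to hop-by-hop mode only on a breach, and the
hop-by-hop reports are then classified in the order of step d (path
switch, then congestion, then d1 attacked node on a loss jump, then d2
illegal exit on a link with abnormal jitter), with the reconstructed
path of step e returned alongside the verdict.  The report formats and
field names, the margins used to derive the delay and loss thresholds
from the routing result, the per-node queue-length limit, the jitter
definition (spread of the per-packet delay a link adds) and every sample
number are assumptions of this example, not of the draft.

```python
"""Controller-side model of the Section 5 procedure (editor's example;
report formats, field names, thresholds and sample values are assumed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    delay_ms: float    # step a: initialised from the routing result
    loss_ratio: float  # step a: initialised from the routing result
    jitter_ms: float   # step a: chosen by service type
    queue_len: int     # assumed per-node queue-length limit used in step d


# Step a: jitter threshold per service type (constructed values, ms).
JITTER_BY_SERVICE = {"medical": 5.0, "enterprise": 20.0}


def init_thresholds(service: str, routed_delay_ms: float, routed_loss: float,
                    queue_len: int = 100) -> Thresholds:
    """Derive delay/loss thresholds from the routing result (assumed margins 1.5x / 2x)."""
    return Thresholds(delay_ms=routed_delay_ms * 1.5,
                      loss_ratio=max(routed_loss * 2, 0.001),
                      jitter_ms=JITTER_BY_SERVICE[service],
                      queue_len=queue_len)


@dataclass(frozen=True)
class E2EReport:
    """Step c: end-to-end measurement reported by the egress gateway."""
    delay_ms: float
    loss_ratio: float


@dataclass(frozen=True)
class HopReport:
    """Step d: one node's hop-by-hop data.  delays_ms are ingress-to-node
    delays of consecutive packets; loss_ratio is cumulative from ingress."""
    node: str
    delays_ms: Tuple[float, ...]
    loss_ratio: float
    queue_len: int


@dataclass
class Verdict:
    kind: str  # path_switch | congestion | attacked_node | illegal_exit | normal
    where: Optional[Tuple[str, ...]] = None
    path: List[str] = field(default_factory=list)  # step e: reconstructed path


def link_jitter(prev: HopReport, cur: HopReport) -> float:
    """Jitter on link prev->cur: spread of the per-packet delay added by that link."""
    link = [c - p for p, c in zip(prev.delays_ms, cur.delays_ms)]
    return max(link) - min(link)


class Controller:
    """Management and control system for one flow (Section 5, steps a-e)."""

    def __init__(self, service: str, expected_path: List[str],
                 routed_delay_ms: float, routed_loss: float):
        self.thr = init_thresholds(service, routed_delay_ms, routed_loss)
        self.expected_path = list(expected_path)
        self.mode = "e2e"  # step b: IFIT header added at ingress, end-to-end only

    def on_e2e_report(self, r: E2EReport) -> str:
        """Step c: switch to hop-by-hop mode only when a threshold is breached."""
        if r.delay_ms > self.thr.delay_ms or r.loss_ratio > self.thr.loss_ratio:
            self.mode = "hop-by-hop"
        return self.mode

    def analyse(self, hops: List[HopReport], e2e: E2EReport) -> Verdict:
        """Steps d and e over the hop-by-hop reports (ingress first, egress last)."""
        path = [h.node for h in hops]
        # d: exclude path switching (reported path differs from the routed one) ...
        if path != self.expected_path:
            return Verdict("path_switch", path=path)
        # ... and congestion (queue length above the limit at some node).
        for h in hops:
            if h.queue_len > self.thr.queue_len:
                return Verdict("congestion", where=(h.node,), path=path)
        # d1: loss breach -> the node where cumulative loss jumps most is the attacked node.
        if e2e.loss_ratio > self.thr.loss_ratio:
            jumps = [(hops[i].loss_ratio - hops[i - 1].loss_ratio, hops[i].node)
                     for i in range(1, len(hops))]
            return Verdict("attacked_node", where=(max(jumps)[1],), path=path)
        # d2: delay breach -> the first link with abnormal jitter is the exit to an illegal node.
        if e2e.delay_ms > self.thr.delay_ms:
            for i in range(1, len(hops)):
                if link_jitter(hops[i - 1], hops[i]) > self.thr.jitter_ms:
                    return Verdict("illegal_exit",
                                   where=(hops[i - 1].node, hops[i].node), path=path)
        return Verdict("normal", path=path)


def demo() -> Tuple[str, str, Verdict]:
    """Constructed scenario: enterprise flow routed GW-in -> N1 -> N2 -> GW-out,
    routed delay 20 ms, routed loss 0.05%."""
    ctl = Controller("enterprise", ["GW-in", "N1", "N2", "GW-out"], 20.0, 0.0005)
    quiet = ctl.on_e2e_report(E2EReport(delay_ms=21.0, loss_ratio=0.0004))  # within thresholds
    e2e = E2EReport(delay_ms=48.0, loss_ratio=0.0004)                         # delay breach
    escalated = ctl.on_e2e_report(e2e)
    hops = [  # constructed hop-by-hop reports; the N1->N2 link shows ~30 ms of jitter
        HopReport("GW-in", (0.0, 0.0, 0.0, 0.0), 0.0, 10),
        HopReport("N1", (5.0, 5.1, 4.9, 5.0), 0.0002, 12),
        HopReport("N2", (15.0, 40.2, 9.9, 35.0), 0.0003, 15),
        HopReport("GW-out", (20.0, 45.2, 14.9, 40.0), 0.0004, 11),
    ]
    return quiet, escalated, ctl.analyse(hops, e2e)


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the first end-to-end report stays within
thresholds and the flow remains in end-to-end mode; the second report
breaches the delay threshold, the controller escalates to hop-by-hop
mode, and the analysis reports an illegal exit between N1 and N2 with
the reconstructed path.  The ordering in analyse() is the point worth
keeping: path switching and congestion are ruled out before any node is
labelled attacked or any link labelled an illegal exit, which is what
step d of the draft relies on for accuracy.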